It is conjectured that SHA-1 has been broken from the "research" perspective but not in the real world. That is, there is an algebraic attack that exploits weaknesses in its algebraic construction. The same happens for MD5, but MD5 has been practically broken by finding collisions in the real world. Can we still use HMAC with SHA-1 and be secure against preimage, second preimage and collisions?

2 Answers

I would recommend phasing out SHA-1 in any scenario where collision-resistance of a hash is required, for there is a wide consensus that an attack with $2^{69}$ complexity would work, it would already be feasible by a resourceful entity, and attacks only get better.

I'm still confident that SHA-1 is preimage and second-preimage resistant for all practical purposes in the foreseeable future, when its full output is used. Nevertheless, I would prefer SHA-256 or RIPEMD-160 when they are possible options.

I'm still confident that HMAC with SHA-1 is secure in any scenario where HMAC's key is assumed secret, for all practical purposes in the foreseeable future; this is because an improved security argument for HMAC remains valid with weak assumptions on the underlying (round function of the) hash. I could recommend it in a MAC application where using a tarnished name is not an issue, and speed matters.

I think it should be mentioned that the security guarantees given by that HMAC-paper is disputed. See Another Look at HMAC and the youtube presentation Another look at provable security. While controversial, they do bring up relevant points to the practical (security) merit of the Bellare paper.
– hakoja Feb 28 '13 at 9:47


@hakoja: Good point. On my first (aborted) reading of the paper some time ago, I concluded that the points raised against Bellare's proof, while valid and interesting, have no impact on practical security (that's acknowledged; see note following theorem 1). Some of Bellare's proof is even improved. Another point raised seems to be that HMAC should not be used with short keys in a settings with many users, because there's an attack of cost inversely proportional to the number of users; this applies to many cryptosystems, and does not change that we can have high confidence in HMAC.
– fgrieu Feb 28 '13 at 12:31
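As an added illustration of the construction discussed in the answer above (example code written for this page, not code from the answerer): HMAC-SHA1 built directly from the RFC 2104 definition on top of `hashlib`, so the nested structure in which the secret key enters both the inner and the outer SHA-1 call is visible, then checked against Python's `hmac` module and an RFC 2202 test vector. The key and message values are constructed sample inputs.

```python
import hashlib
import hmac

# SHA-1 has a 512-bit (64-byte) block; HMAC pads or hashes the key to this length.
BLOCK_SIZE = 64


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC(K, m) = SHA1((K' xor opad) || SHA1((K' xor ipad) || m)), per RFC 2104.

    K' is the key padded with zero bytes to the block size (or first hashed,
    if longer than a block). The key is mixed into the first block of BOTH
    hash invocations, which is why HMAC's security rests on weaker properties
    of the compression function than collision resistance of plain SHA-1.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner_key = bytes(b ^ 0x36 for b in key)  # ipad
    outer_key = bytes(b ^ 0x5C for b in key)  # opad
    inner_hash = hashlib.sha1(inner_key + message).digest()
    # Full 160-bit output is returned; truncation would be a separate decision.
    return hashlib.sha1(outer_key + inner_hash).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so tag checking does not leak via timing."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against the standard library."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()


if __name__ == "__main__":
    # Constructed sample values (also RFC 2202 test case 1 for the first pair).
    key = b"\x0b" * 20
    print(hmac_sha1(key, b"Hi There").hex())
    print(matches_stdlib(b"some-long-constructed-key" * 4, b"payload"))
```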

SHA-1 is only academically broken. So, it is still secure for all uses. The problem is, attacks only get better. So, migrating to SHA-2 (or at least planning for a SHA-2 migration) would be a good move.